Another Active Scripting Bug in Internet Explorer 5.0

You might already know that a user has uncovered yet another Active Scripting bug within Internet Explorer (IE) 5.0. The discovery doesn't surprise me; we’ve seen numerous discoveries of this nature in the past, and I fully expect to see more in the future. What surprises me is the number of people who write saying they don't have a clue how to protect themselves against these types of security risks.

To help protect against any security risk, you need to analyze the nature of the risk to see what avenues people are using to exploit it. If you know how the risk is exploitable, you can use that information to prevent an attack. In the case of the newly reported IE5 problem, the risk relates to Active Scripting, so disabling Active Scripting will eliminate the risk. And that leads to another concern. Many of you have written saying you don't know how to disable Active Scripting, cookies, Java, and a variety of other potentially dangerous technologies in your Web browser.

More than a few of you suggested that Windows NT Magazine publish an article that explains how to handle IE's security settings. So, I wrote a feature, which you'll find in an upcoming edition of Windows NT Magazine. But while you're waiting for the article to appear, let me offer you some advice that will dramatically increase your safety level while surfing the Web.

First, I can't stress enough how important it is to learn the ins and outs of using the features available in your software-based tools. Without knowledge of the feature set (especially security-related features), you might be destined for a catastrophe. It takes time to learn these details, but it's always well worth the effort. Software is no different from any hand tool: improper use can lead to an accident. I wouldn't dream of using a power saw without knowing how to control the device, and the same thing goes for my Web browser. Consider studying your software features in detail, especially those related to security.

Also, when a vendor issues a security bulletin that details a way to work around a given risk, study that information carefully because it might offer valuable insight into a software package's operation. For example, with this new IE5 problem, Microsoft details a way to prevent the risk by adjusting the browser's security settings. When you follow those directions, you'll notice other security settings for a variety of supported technologies, including Java, cookies, and more. Instead of quickly scanning through the IE security setting structure to look for an exact item, take time to peruse the dialog and note the other options. This approach helps you become familiar with that area of the software, and if a new IE risk is reported later, you'll be better equipped to make speedy software adjustments—quite possibly without relying on a vendor's suggestions. As you'll discover, in many cases, one tidbit of security information (such as a simple browser tweak) is relevant to many other aspects of security, so keep the information in mind as time wears on—especially when it comes to NT and IE.

This advice might sound simplistic to advanced security folks, but let's not forget that not everyone is at an advanced level of knowledge regarding information security. Until next time, have a great week.